Series Introduction

Networks dominate today's computing landscape and
commercial technical protection is lagging behind attack technology. As
a result, protection program success depends more on prudent management
decisions than on the selection of technical safeguards. Managing
Network Security takes a management view of protection and seeks to
reconcile the need for security with the limitations of technology.

Some Recent Incidents

Over the last several months, the media has
described a number of interesting incidents in which people who are
acting under the color of legitimacy break into computer systems, are
arrested, and claim that what they did was just 'testing security'.
Indeed, in some cases they have bragged about their efforts as a way to
generate more business for their company, leading to their being
arrested.

The two most publicized recent accounts involve the
folks at ForensicTec who claim to have done the U.S. government a favor
by breaking into their computer systems and the admissions administrator
at Princeton who broke into a Yale admissions computer to look at
student applicant records.

The ForensicTec folks apparently wanted to prove
their skills, presumably in order to get a contract and launch
themselves into the limelight. Perhaps they will have a multi-year
exclusive with the government indeed, and of course they are in the
limelight. The academics probably didn't want to be left behind, and they
have certainly demonstrated that academia is no bastion of integrity,
but then the Ivy League schools have produced quite a few lawyers and
politicians, so whoever had any doubts before may now lay them to rest.

I want to make one really important note here.
Neither of these has gone to trial or been convicted of anything, and I
certainly do not know the facts. So my statements about them
should be taken not to indicate anything about the individuals, but
rather to represent my views of the practices they
are accused of using. So to be as clear as I can, I believe it to be
immoral, unethical, and unprofessional to do such things and that by
doing so, assuming they did, these individuals have smeared
themselves and their institutions.

Doing me a favor?

To be clear, you are not doing your local grocery
store a favor by breaking the front window at night and demonstrating
that you can take something out of the store. If you pick up a rock to
do it, it is likely not a big surprise when you tell them that you found
the rock in the street. If you come in by picking the lock on the back
door, even if you defeat the alarm first, you are just breaking and
entering, not doing them a favor.

It is easy to be a burglar, and many people try it,
and many get caught. It takes no expertise in security to do it, and
being able to throw a rock through a window is not related to the skills
associated with securing stores against theft. Finding a rock on the
street and applying it properly is not an indication of skill, and just
because you show me that you can do it, this does not make it a good
idea for me to replace all of my windows with bulletproof glass. The
day after I replace the windows you will try a shaped charge which you
purchased from your local underworld figure, and it will still work.

The same is true of network security. It is easy to
try attack script after attack script, and against the millions of
computers in the Federal government, you are virtually certain to find
something that works somewhere. It takes no expertise in network
protection to do it, and being able to run a script from off the
Internet against thousands of hosts is not related to the skills
associated with protecting those systems against attackers. Just
because you can find a script that breaks into my Windows doesn't make
it a good idea to replace all my Windows with FreeBSD. The day after I
change my operating systems, you will try a new FreeBSD break-in,
perhaps purchased from your local computer crime group, and you may
still get in.

Preaching to the Choir

I know that I am preaching to the choir here, but I
thought I would start with my published site policy statement on
'Testing our Security':

Testing our Security
You are NOT authorized to test the security of this site, to
scan it for security related issues in any way, to verify the
appropriateness of its configurations, to validate that its
passwords are hard to guess, or to perform any other actions
that are not explicitly authorized herein.

Of course this should not have to be said. It is,
at least, obvious, and certainly I do not have to tell people not to
break the laws in order to prosecute them for it. After all, ignorance
of the law is no excuse. And yet, I figure it costs little enough to
include this warning, just in case it helps someone who was thinking of
doing it but wanted to see if it was fine with me first.

And what good does a policy statement do anyway?
That's simple. It provides notice. It does not prevent crime or
criminal activities, nor does building a bigger, stronger firewall. All
it does is give those who might be teetering on the brink another
reason to teeter back toward the good side.

So What Should We Do?

I believe that a 3-part process is appropriate for
this sort of situation: (1) Throw perpetrators in jail in a very public
way, (2) Use deceptions to make such simple 'break-ins' less meaningful,
and (3) Make prudent risk management decisions after such incidents.

Step 1: Throw them in jail and make it very public.
This has several benefits. It stops them from doing it again for some
time and clearly marks them as criminals. This has negative effects on
them and their families, but generally beneficial effects on reducing
the population of folks willing to try it next time. Another major
benefit is that, if we do this on a widespread basis and uniformly as a
society, it changes the social norms. It will also end the practice
among commercial companies because of the high liability, and eliminate
the irresponsible people who have been doing this all along to get
business, replacing them with responsible people who know more about the
issues but who do not break the law in doing their jobs.

Step 2: Use deceptions to counter the perception
issues. There are many ways to use deceptions to counter such things.
One way would be to provide easy-to-break-into systems on your network
that contain false information. This gives you three things: you can
tell it was not a real break-in; the information is unique, so it
fingerprints the attacker as having broken in to get it; and you get to
tell the public that the attackers were incompetent and you were doing
your job well, by revealing that a deception had caused the attacker to
think they succeeded when they failed. Of course you can do this last
element even if they did break into something important and get real
information. The point is to make the attacker look like the fool in a
very public way and also to protect your real assets by seeing them
coming.
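One way to make the planted information "unique" in the sense above is to tag each decoy record with a keyed hash bound to the decoy host it was planted on, so that a record surfacing later can be shown to be fake and traced to the system it was taken from. This is an added example, not code from the original column; the key, host names and record layout are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed key for this example only; a real deployment keeps it in a secrets store.
TAG_KEY = b"constructed-example-key"

# Constructed names of the decoy systems on which fake records were planted.
DECOY_HOSTS = ["decoy-admissions-01", "decoy-admissions-02"]


def _tag(host: str, applicant_id: str, key: bytes) -> str:
    """Keyed tag binding a fake record to the decoy host it was planted on.
    Without the key, an outsider cannot forge a tag that attributes to a host."""
    msg = f"{host}|{applicant_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def make_decoy_record(host: str, seq: int, key: bytes = TAG_KEY) -> dict:
    """Fake applicant record. The 'ref' field looks like an internal reference
    number but is the HMAC over (host, applicant_id), so it is unique per decoy."""
    applicant_id = f"A{seq:05d}-{secrets.token_hex(3)}"
    return {
        "applicant_id": applicant_id,
        "name": f"Decoy Applicant {seq}",
        "decision": "pending",
        "ref": _tag(host, applicant_id, key),
    }


def attribute_leak(record: dict, hosts=DECOY_HOSTS, key: bytes = TAG_KEY):
    """Given a record that surfaced outside, return the decoy host it came from,
    or None if it is not one of ours (which means a real data store may be involved)."""
    applicant_id = str(record.get("applicant_id", ""))
    ref = str(record.get("ref", ""))
    for host in hosts:
        if hmac.compare_digest(_tag(host, applicant_id, key), ref):
            return host
    return None


if __name__ == "__main__":
    planted = make_decoy_record("decoy-admissions-02", 7)
    print("planted:", planted)
    print("attributed to:", attribute_leak(planted))
```

A None result is the important alarm: it means the surfaced record did not come from any decoy, so the incident must be handled as a possible real break-in rather than a deception success.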

Step 3: Make prudent risk management decisions. In
my view, the prudent decision in this sort of circumstance is for all
parties to settle quickly and for the perpetrators to be terminated for
cause (i.e., criminal activity), arrested, tried, and so forth. If one
of the parties will not go quickly into settlement, a civil suit may be
required. For example...

In the case of the US Government vs.
ForensicTec, and assuming that the facts in the newspapers are indeed
correct (which is a big stretch): (1) If it was corporate policy to do
these things, the company's top management should be arrested, etc., and
other ForensicTec customers should run away from doing business with
them as fast as possible. (2) If it was not company policy, the
perpetrators should be released by ForensicTec, all supporting evidence
should be provided to law enforcement, ForensicTec should assist in the
investigation and review its policies and procedures regarding hiring and
retention (it was management's fault that they let these folks into
trusted positions), and the company should make a clear statement that
this is not their policy. Customers should be reasonably understanding,
but they should also lower their level of trust in the company and
consider the implications to their business of trusted contractors
violating those trusts.

In the case of Princeton vs. Yale, Princeton
took reasonably prudent immediate action by suspending certain duties of
the accused perpetrator. I will assume for now that Princeton did not
initiate this activity as policy and does not condone or support the
activity. In my view, if the evidence supports the allegations, the
accused should be charged by the government. Princeton and Yale should
rapidly come to a financial settlement and some sort of agreement about
the future (perhaps Yale should get copies of all of the Princeton
applications for the next year), and they should issue a joint statement
indicating that they have put this behind them - terms undisclosed.

In the case of the government as well as Yale, it
would seem prudent to review their risk management decisions to assure
that the attacks that did happen were within their expected loss
manifolds. If not, mitigation should be taken and process changes made
to assure that future risk analysis better handles these issues.

In both cases the perpetrators should have their
rights well protected, including their rights to a speedy trial. If
they are found not guilty, they should be treated as if they never did
what they are currently accused of. If they are found guilty, unless it
is later found that they were not, they should be appropriately punished
by the legal system and they should not be placed in positions of such
trust unless and until they have demonstrated that they are again worthy
of such trust - the bar being raised somewhat because of historical
data.

An additional note of caution: I am not a lawyer and
I have no special information about these cases. I am using them as
examples of my thoughts on these issues and do not in any way intend to
imply that any of these parties is guilty or that I know one way or the
other. These are only being used as examples and nothing more.

Conclusions

I have said it before and I will likely say it
again. Breaking in is a poor way to test security, not because it
fails, but because you learn so little from it. Breaking in and
claiming it was just a way to test security should be treated as a
criminal act.

The trend in society to make everything a show and
to use hyperbole in order to market ideas seems to me to be closely
related to the trend to break into systems to demonstrate skills. But
of course the skills associated with breaking in are not those
associated with defending systems. When people come to me and tell me
that my computer systems are weak and that they can attack them
successfully, I am offended. But I don't just ignore them. I have a
standard bet that I offer. None have taken it up yet - at least not
formally.

Here's the bet. You bet that you can break into my
systems, and I bet I can have you thrown in jail. It's a simple matter
of risk management. Given that they can lose the bet by going to jail,
they uniformly back down. Do I learn about weaknesses in my computer
systems this way? No. But I learn about them in other ways... but that
is the subject for another article.

About The Author:

Fred Cohen is researching information protection as a
Principal Member of Technical Staff at Sandia National Laboratories,
helping clients meet their information protection needs as the Managing
Director of Fred Cohen and Associates, and doing research and education
as a Research Professor in the University of New Haven's Forensic
Sciences Program. He can be reached by sending email to fred at all.net or
visiting http://all.net/